The boom in working from home has become a bonanza for cyber attackers. Each time an employee connects to the corporate network from their home they create an access point that can often be exploited. With Windows Active Directory (AD) still being the core identity and access platform for businesses around the world, the single best thing you can do to improve security is to protect the remote use of these Active Directory credentials.
Phishing the most vulnerable
According to the Cyber Threat Alliance, there is a flood of new phishing emails devoted to the coronavirus. And like COVID-19 itself, the hackers are now interested in the most vulnerable, your new remote workers. Phishing doesn’t attack Active Directory directly but it takes advantage of the employee’s desire to click a link. As your employees are self-isolating and feeling uncertain, the desire to click and connect has never been stronger!
By stealing employee credentials, attackers aim to escalate privileges and move laterally within your network, looking for systems, applications and data of value that they can exploit. And what’s more, like coronavirus, you might not even know you are infected. According to the Ponemon Institute, the average time taken to discover a breach is 191 days.
The threat surface has rapidly expanded
In the best of times, the often inadequate protection of Active Directory logins puts businesses at significant cyber risk. And now, as the majority of businesses shift to working from home, this threat surface has rapidly expanded.
The risk is all the greater since we’ve all had to rapidly migrate to home working without the time to prepare. It has forced some companies to rush to allow Microsoft remote desktop (RDP) access.
Remote desktop access allows employees to access the desktop resources they need without having to be on premises. This helps prevent the common issues that might arise for remote workers, such as not having enough computing power, or not having access to the files and applications they need.
So, how can a business best protect remote AD login credentials?
Remote desktop access is not fully secure as in most cases it is only protected by a single password. Three key recommendations to protect these remote AD logins are to strengthen passwords, use a secure virtual private network (VPN) for all remote desktop access and enable two-factor authentication on these remote desktop connections.
These recommendations allow businesses to significantly improve the security of employees working from home.
Two-factor authentication on Active Directory logins is a security enhancement that asks employees to present two pieces of evidence when logging into an account. UserLock makes this easy by working closely alongside Active Directory to offer 2FA and full access management on all Windows logins and RDP connections. It can be added to all remote access requests and involves the employee using either an application authenticator or token as their second factor.
- 1. Implement a remote workers equipment policy:
As far as possible, favor remote working by using the means available, secured and controlled by the company itself. When this is not possible, give clear usage and security guidelines to employees.
- 2. Secure your external access:
Secure connections to your infrastructure by using a “VPN” (Virtual Private Network). When possible, limit VPN access to only authorized laptops. Any attempt to access from another machine should be denied.
- 3. Strengthen your password management policy:
The passwords must be long enough, complex and unique on each device or service used. Activate two-factor authentication on remote connections, especially for connections to the network itself.
- 4. Have a strict policy for security updates:
Deploy security updates as soon as they are available and on all accessible equipment in your information system, because cybercriminals quickly exploit such vulnerabilities.
- 5. Tighten the backup of your data and activities:
Backups will sometimes be the only way for the company to recover its data following a cyber-attack. Backups should be performed and tested regularly to ensure that they are working.
- 6. Use professional antiviral solutions:
Professional antiviral solutions can protect companies from most known viral attacks, but also sometimes from phishing messages, or even from certain ransomware.
- 7. Set up logging of the activity of all your infrastructure equipment:
Have systematic logging of all access and activities of your infrastructure equipment (servers, firewall, proxy…), and of the workstations themselves. This auditing will often be the only way to understand how a cyber-attack may have occurred, the extent of the attack and how to remedy it.
- 8. Supervise closely the activity of all external accesses and sensitive systems:
Monitoring RDP connections and all access to files and folders is a great way to detect any abnormal access which could be the sign of a cyber-attack. Examples include a suspicious connection by an unknown user, a connection by a known user outside of their usual hours, or an unusual volume of activity on sensitive files and folders. Real-time alerts and an immediate response allow you to act before any damage is caused.
- 9. Raise awareness and provide reactive support to your remote work collaborators:
Give remote workers clear instructions on what they can and cannot do and raise awareness of the security risks linked to remote working. Users are often the first barrier to avoid or even detect cyber-attacks.
- 10. Prepare for a cyber-attack:
News shows that no organization, whatever its size, is immune to a cyber-attack. The assessment of possible attack scenarios allows us to anticipate the measures to be taken to protect ourselves from them.
- 11. Leaders: get involved and lead!
The involvement and commitment of managers in security measures is essential, as is their behavior, which must be exemplary in order to ensure that employees adhere to those measures.
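The three checks named in item 8 (unknown user, known user outside usual hours, unusual volume of file access), as an added example that is not part of the original post and is not UserLock code. The records are constructed samples shaped like Windows Security events 4624 (logon, LogonType 10 for RDP) and 4663 (audited file access); the user names, working-hours baseline and threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real logs), shaped like fields from Windows
# Security events: 4624 = successful logon (LogonType 10 = RemoteInteractive/RDP),
# 4663 = access to an audited file or folder.
EVENTS = [
    {"id": 4624, "time": "2020-04-06T09:12:00", "user": "alice", "logon_type": 10},
    {"id": 4624, "time": "2020-04-06T03:41:00", "user": "bob", "logon_type": 10},
    {"id": 4624, "time": "2020-04-06T10:05:00", "user": "svc_tmp", "logon_type": 10},
    {"id": 4624, "time": "2020-04-06T10:30:00", "user": "alice", "logon_type": 2},
] + [
    {"id": 4663, "time": f"2020-04-06T11:{m:02d}:00", "user": "alice"} for m in range(40)
]

# Assumed baseline: usual working hours per known user as [start, end), and the
# per-user, per-hour file-access count above which an alert is raised.
BASELINE = {"alice": (7, 19), "bob": (8, 18)}
FILE_ACCESS_LIMIT = 25


def detect_anomalies(events, baseline, file_limit):
    """Return (alert_type, user, when) tuples for the three checks in item 8."""
    alerts = []
    file_hits = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            if user not in baseline:
                # RDP logon by an account with no known working pattern
                alerts.append(("unknown_user", user, ev["time"]))
            else:
                start, end = baseline[user]
                if not start <= ts.hour < end:
                    alerts.append(("outside_hours", user, ev["time"]))
        elif ev["id"] == 4663:
            # Bucket file accesses per user per clock hour
            file_hits[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
    for (user, hour), count in sorted(file_hits.items()):
        if count > file_limit:
            alerts.append(("file_access_volume", user, hour))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS, BASELINE, FILE_ACCESS_LIMIT):
        print(alert)
```

In practice the baseline would be derived from each user's logon history rather than hard-coded.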
The post Protecting Active Directory logins for remote working appeared first on Enterprise Network Security Blog from IS Decisions.
*** This is a Security Bloggers Network syndicated blog from Enterprise Network Security Blog from IS Decisions authored by Chris Bunn. Read the original post at: https://www.isdecisions.com/blog/it-security/protecting-active-directory-logins-remote-working/